Abstract — Malicious software, or malware for short, has become a major security threat. While it originates in criminal behavior, its impact is also influenced by the decisions of legitimate end users. Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities.

In this paper, we focus on the question of incentive alignment for agents of a large network towards better security. We start with an economic model for a single agent that determines the optimal amount to invest in protection. The model takes into account the vulnerability of the agent to a security breach and the potential loss if a security breach occurs. We derive conditions on the quality of the protection which ensure that the optimal amount spent on security is an increasing function of the agent's vulnerability and potential loss. We also show that for a large class of risks, only a small fraction of the expected loss should be invested.

Building on these results, we study a network of interconnected agents subject to epidemic risks. We derive conditions to ensure that the incentives of all agents are aligned towards better security. When agents are strategic, we show that security investments are always socially inefficient due to the network externalities. Moreover, alignment of incentives typically implies a coordination problem, leading to an equilibrium with a very high price of anarchy.



I. Introduction 

Negligent users who do not protect their computer by regu- 
larly updating their antivirus software and operating system 
are clearly putting their own computers at risk. But such 
users, by connecting to the network a computer which may 
become a host from which viruses can spread, also put (a 
potentially large number of) computers on the network at risk 
[1], [2], [3]. This describes a common situation in the Internet and
in enterprise networks, in which users and computers on the 
network face epidemic risks. Epidemic risks are risks which 
depend on the behavior of other entities in the network, such 
as whether or not those entities invest in security solutions 
to minimize their likelihood of being infected. [4] is a recent 
OECD survey of the misaligned incentives as perceived by 
multiple stake-holders. Our goal in this paper is to study 
conditions for alignment of incentives for agents of a large 
network subject to epidemic risks and its implications for the 
equilibria. 
reviewers for valuable comments.



Our work allows a better understanding of economic network effects: there is a total effect if one agent's adoption of a protection benefits other adopters, and there is a marginal effect if it increases others' incentives to adopt it (we refer to Section 3 of [5] for a comprehensive survey of network effects). In information security economics, the presence of the total effect has been the focus of various recent works starting with Varian's work [6]. When an agent protects itself, the benefit accrues not only to that agent but to the whole network. Hence there is an incentive to free-ride on the total effect. Those who invest in self-protection incur some cost and in return receive some individual benefit through the reduced individual expected loss. But part of the benefit is public: the reduced indirect risk in the economy, from which everybody else benefits. As a result, agents invest too little in self-protection relative to the socially efficient level. The efficiency loss (referred to as the price of anarchy) has been quantified in various game-theoretic models [7], [8], [9], [10], [11], [12].



In this paper, we focus on the marginal effect and its relation to the coordination problem (see Section 3.4 in [5]). To understand the mechanism of incentives regarding security in a large network, we need to analyze how an increase in the total population adopting security will impact one agent's incentive to adopt it. To do so, we use a monotone comparative statics approach and start with an economic model for a single agent that determines the optimal amount to invest in protection. We follow the approach proposed by Gordon and Loeb in [13]. They found that the optimal expenditures for protection of an agent do not always increase with increases in the vulnerability of the agent. Crucial to their analysis is the security breach probability function, which relates the security investment and the vulnerability of the agent to the probability of a security breach after protection. This function can be seen as a proxy for the quality of the security protection. Our first main result (Theorem 1) gives sufficient conditions on this function to ensure that the optimal expenditures for protection always increase with increases in the vulnerability of the agent (this sensitivity analysis is called monotone comparative statics in economics). From an economic perspective, these conditions ensure that all agents with sufficiently large vulnerability value the protection enough to invest in it. We also extend a result of [13] and show (Theorem 2) that if the security breach probability function is log-convex in the investment, then a risk-neutral agent (see footnote 2) never invests more than 37% of the expected loss.

Building on these results, we study a network of interconnected agents subject to epidemic risks. We model the effect of the network through a parameter $\gamma$ describing the information available to the agent and capturing the security state of the network. We show that our general framework extends previous work [8], [14] and allows us to consider a security breach probability function depending on the parameter $\gamma$ and possibly on other private information about the vulnerability of the asset. Our third main result (Theorem 3) gives sufficient conditions on this function to ensure that the optimal protection investment always increases with an increase in the security state of the network.

This property is crucial in our last analysis: we use our model of an interconnected agent in a game-theoretic setting where agents anticipate the effect of their actions on the security level of the network. We diverge from most of the literature on security games (some exceptions are [15], [8], [16]) and relax the complete information assumption, i.e. each player's security breach probability is not common knowledge but private information. In our model only global statistics are publicly available and agents do not disclose any information concerning their own security strategy.

We show how the monotonicities (or the lack of monotonicity) impact the equilibrium of the security game. In particular, alignment of incentives typically implies a coordination problem, leading to an equilibrium with a very high price of anarchy. Moreover, we distinguish two parts in the network externalities that we call public and private. Both types of externalities are positive since any additional agent investing in security increases the security level of the whole network. However, the effect of this additional agent differs for an agent who did not invest in security and for an agent who already did. The public externalities correspond to the network effect on insecure agents while the private externalities correspond to the network effect on secure agents (also called total effect in the economics literature [5]).

As a result of this separation of externalities, some surprising phenomena can occur: although both externalities are positive, there are situations where the incentive to invest in protection decreases as the fraction of the population investing in protection increases. This is an example where the total effect holds but the marginal effect fails (which is essentially a case where Segal's increasing externalities [17] or Topkis' supermodularity [18] fails). We also show that in the security game, security investments are always inefficient due to the network externalities. This raises the question whether economic tools like insurance [19], [20], [21] could be used to lower the social inefficiency of the game (see footnote 3)?

The rest of the paper is organized as follows. In Section II the optimal security investment for a single agent is analyzed. In Section III we extend it to an interconnected agent and show how it connects with the epidemic risk model. Finally, in Section IV we consider the case where agents are strategic. We introduce the notion of fulfilled expectations equilibrium and show our main game-theoretic results.

2 i.e. an agent indifferent between investments that have the same expected value: such an agent has no preference between i) a bet paying either $100 or nothing, each with probability 50%, and ii) receiving $50 with certainty.

3 Note that in this case the risk-neutral assumption made in this paper should be replaced by a risk-averse assumption.

II. Optimal security investment for a single agent

In this section, we present the simple one-period model of an agent contemplating the provision of additional security to protect a given information set introduced by Gordon and Loeb in [13]. In one-period economic models, all decisions and outcomes occur in a single instant, so dynamic aspects are not considered.

A. Economic model of Gordon and Loeb 

The model is characterized by two parameters $\ell$ and $v$ (Gordon and Loeb used a slightly more involved notation). The parameter $\ell \in \mathbb{R}_+$ represents the monetary loss caused by a security breach. The parameter $v$ represents the probability that, without additional security, a threat results in the information set being breached and the loss $\ell$ occurring. The parameter $v$ is called the vulnerability of the asset. Being a probability, it belongs to the interval $[0,1]$.

An agent can invest an amount $x$ to reduce the probability of loss to $p(x,v)$. We assume $p(0,v) = v$ and, since $p(x,v)$ is a probability, that $0 \le p(x,v) \le v$ for all $x \ge 0$ and $v \in [0,1]$. The function $p(x,v)$ is called the security breach probability.

The expected loss for an amount $x$ spent on security is $\ell p(x,v)$. Hence if the agent is risk neutral, the optimal security investment is the value $x^*$ solving

$$\min \{ \ell p(x,v) + x : x \ge 0 \}. \quad (1)$$



We define the set of optimal security investments by $\varphi(v,\ell) = \arg\min \{ \ell p(x,v) + x : x \ge 0 \}$. In general the function $\varphi$ is set-valued, and we deal with this fact in the sequel. For now, assume that $\varphi$ is real-valued, i.e. the sets reduce to singletons. As noticed in [13], the function $\varphi(v,\ell)$ need not be non-decreasing in $(v,\ell)$ for general functions $p(x,v)$. An example given in [13] is $p_{GL}(x,v) = v^{ax+1}$, where the parameter $a > 0$ is a measure of the productivity of information security. This class of security breach probability functions has the property that protecting highly vulnerable information sets becomes extremely expensive as the vulnerability of the information set approaches one. This is not the only class of security breach functions with this property, but its simplicity allows us to gain further insight into the relationship between vulnerability and optimal security investment.

Indeed, an interior minimum $x^* > 0$ is characterized by the first-order condition:

$$-\ell \frac{\partial p}{\partial x}(x^*, v) = 1. \quad (2)$$

In the particular case where $p_{GL}(x,v) = v^{ax+1}$, we obtain $\frac{\partial p_{GL}}{\partial x}(x,v) = (a \log v)\, v^{ax+1}$, so that solving Equation (2) we get

$$\varphi_{GL}(v,\ell) = \frac{-\log(-\ell a \log v)}{a \log v} - \frac{1}{a}$$

(when this quantity is negative, the minimum of (1) is attained at the corner $x^* = 0$).
Fig. 1. Function $\varphi_{GL}(v,\ell)$ as a function of the vulnerability $v$, with parameters $\ell = 10$ and $a = 0.5, 1, 1.5$ (red, green, brown).



Figure 1 shows the optimal security investment for various values of $a$ and $\ell$ as a function of the vulnerability $v$. In particular, we see that the optimal investment is zero both for low values of the vulnerability and for high values of the vulnerability. In other words, in this case, the marginal benefit of investment in security for low-vulnerability information sets does not justify the investment, since the security of the information set is already good. However, if the information set is extremely vulnerable, the cost of security is too high to be 'profitable', in the sense that there is no net benefit in protecting it.

B. Sufficient conditions for monotone investment 

In this section, we derive sufficient conditions on the security breach probability in order to avoid the non-monotonicity in the vulnerability of the information set. In such a case, the information security decision is simple since the return on investment increases with vulnerability: the security manager needs only to adjust the security investment to the vulnerability. Also, the security provider should set the price of its solution so as to remain in a region where such monotonicity is valid.

First we need to define the monotonicity of a set-valued function. We say that the set-valued function $f : \mathbb{R}^n \to 2^{\mathbb{R}}$ is non-decreasing if for any $x^L, x^H \in \mathbb{R}^n$ with $x^L \le x^H$ (for the product order), we have $y^L \le y^H$ for any $y^L \in f(x^L)$ and any $y^H \in f(x^H)$.

We start with a particular case (its proof follows from our more general result and is given at the end of this section):

Proposition 1. Assume that the function $p(x,v)$ is twice continuously differentiable on $\mathbb{R}_+ \times [0,1]$. If

$$\frac{\partial p}{\partial x}(x,v) < 0 \quad \text{and} \quad \frac{\partial^2 p}{\partial x \partial v}(x,v) < 0, \quad (3)$$

then the function $(v,\ell) \mapsto \varphi(v,\ell)$ is non-decreasing in $(v,\ell)$.

Remark 1. The first condition requires that the function $p(x,v)$ is decreasing in $x$, i.e. the probability of a security breach is lowered when more is invested in security. In the particular case of $p_{GL}$ described above, we have $\frac{\partial^2 p_{GL}}{\partial x \partial v}(x,v) = a\, v^{ax}\,\big(1 + (ax+1)\log v\big)$. In particular $\frac{\partial^2 p_{GL}}{\partial x \partial v}(x,1) = a > 0$, and we see that the function $p_{GL}$ does not satisfy the conditions of the proposition, in agreement with the fact that the associated function $\varphi_{GL}$ is not monotone in $v$.



It turns out that we often need to deal with cases where the choice sets are discrete. In reality, discrete investments in new security technologies are often more natural, resulting in discontinuities. For example the amount $x$ could live in a space $X \subset \mathbb{R}_+$ with empty interior. In these cases, Proposition 1 is useless. In order to extend it, we introduce the notion of general submodular functions (see Topkis [22]). We first define the two operators $\wedge$ and $\vee$ on $\mathbb{R}^n$:

$$x \wedge y = \sup\{t \in \mathbb{R}^n : t \le x,\ t \le y\} \quad \text{and} \quad x \vee y = \inf\{t \in \mathbb{R}^n : t \ge x,\ t \ge y\}.$$

A set $S \subset \mathbb{R}^n$ is a lattice if for any $x$ and $y$ in $S$, the elements $x \wedge y$ and $x \vee y$ are also in $S$. A real-valued function $f$ on a lattice $S$ is submodular if for all $x$ and $y$ in $S$, $f(x \wedge y) + f(x \vee y) \le f(x) + f(y)$; $f$ is strictly submodular on $S$ if the inequality is strict for all pairs $x, y$ in $S$ which cannot be compared with respect to $\ge$, i.e. such that neither $x \ge y$ nor $y \ge x$ holds.

We are now ready to state our first main result, which is an adaptation of Theorem 6.1 in [22]:

Theorem 1. Let $S = [0,1] \times \mathbb{R}_+$. If the function $f : X \times S \to \mathbb{R}$ is strictly submodular in the variables $x$ and $v$ on $X \times [0,1]$ for any fixed $\ell$, and in the variables $x$ and $\ell$ on $X \times \mathbb{R}_+$ for any fixed $v$, then $\varphi(v,\ell) = \arg\min\{f(x,v,\ell) : x \in X\}$ is non-decreasing.

Remark 2. Note that this theorem does not require $f(x,v,\ell) = \ell p(x,v) + x$. In particular it can also be applied to the case of risk-averse agents, in which case $f$ depends on the (concave) expected utility function of the agent.

Proof: If $x \le x'$ and $x \ne x'$, we write $x < x'$. By the definition of strict submodularity (in $(x,v)$ at fixed $\ell'$, and in $(x,\ell)$ at fixed $v$), we have for $x' > x$ and $(v',\ell') > (v,\ell)$:

$$f(x',v',\ell') + f(x,v,\ell') \le f(x',v,\ell') + f(x,v',\ell'),$$
$$f(x',v,\ell') + f(x,v,\ell) \le f(x',v,\ell) + f(x,v,\ell'),$$

the first with strict inequality when $v' > v$ and the second when $\ell' > \ell$; since at least one of these holds, summing we get

$$f(x',v',\ell') + f(x,v,\ell) < f(x',v,\ell) + f(x,v',\ell').$$

This shows that $f$ has strictly increasing differences in $(x,(v,\ell))$, i.e. $f(x,v,\ell) - f(x,v',\ell')$ is strictly increasing in $x$ for all $(v',\ell') > (v,\ell)$.

Consider $(v',\ell') > (v,\ell)$; we now show that $y \ge x$ for $y \in \varphi(v',\ell')$ and $x \in \varphi(v,\ell)$. Suppose that $x > y$, so that $x \vee y > y$. Since $y \in \varphi(v',\ell')$ and $x \in \varphi(v,\ell)$, we have

$$f(x \vee y, v', \ell') \ge f(y, v', \ell') \quad \text{and} \quad f(x \wedge y, v, \ell) \ge f(x, v, \ell).$$

Using the fact that $f$ has strictly increasing differences and $x \vee y > y$, we get:

$$f(x \vee y, v', \ell') - f(y, v', \ell') < f(x \vee y, v, \ell) - f(y, v, \ell).$$

By the definition of submodularity, we have:

$$f(x \vee y, v, \ell) - f(y, v, \ell) \le f(x, v, \ell) - f(x \wedge y, v, \ell).$$

Hence we finally get:

$$0 \le f(x \vee y, v', \ell') - f(y, v', \ell') < f(x \vee y, v, \ell) - f(y, v, \ell) \le f(x, v, \ell) - f(x \wedge y, v, \ell) \le 0,$$

which provides the desired contradiction. ■

Remark 3. It follows from the proof that the sufficient conditions on $f$ ensuring that $\varphi$ is non-decreasing can be replaced by the single requirement actually used: $f(x,v,\ell) - f(x,v',\ell')$ is strictly increasing in $x$ for all $(v',\ell') > (v,\ell)$.

Proof of Proposition 1: It follows from the definition of submodularity that if $f$ is twice continuously differentiable, then $\frac{\partial^2 f}{\partial x \partial v}(x,v,\ell) < 0$ implies that $f$ is strictly submodular in the variables $x$ and $v$ on $X \times [0,1]$ for any fixed $\ell$. Taking $f(x,v,\ell) = \ell p(x,v) + x$, we get $\frac{\partial^2 f}{\partial x \partial v}(x,v,\ell) = \ell \frac{\partial^2 p}{\partial x \partial v}(x,v)$, which gives one of the conditions of Proposition 1. The other condition comes from the symmetric condition on $f$: $\frac{\partial^2 f}{\partial x \partial \ell}(x,v,\ell) = \frac{\partial p}{\partial x}(x,v) < 0$. ■



C. A simple model and the 1/e rule 

Consider now a scenario where there are $K$ possible protections, where $K$ can be infinite. Each protection $j$ is characterized by a cost $x_j > 0$ and a function $s_j(v)$ from $[0,1]$ to $[0,1]$ with the following interpretation: if the system has a probability of loss $v$ without protection $j$, applying protection $j$ lowers this probability by a factor $s_j(v)$ (at a cost $x_j$).

If an agent applies two different protections, say $i$ and $j$, then we assume that the resulting probability of loss is $v\, s_i(v)\, s_j(v)$. The rationale behind this assumption is that the protections are independent in a probabilistic sense: the probability of a successful attack is the product of the probabilities of eluding each of the protections.

For a total budget of $x$, the agent chooses the subset $J \subset [K] = \{1, 2, \ldots, K\}$ such that $\sum_{j \in J} x_j \le x$ and which minimizes the final probability of loss $v \prod_{j \in J} s_j(v)$. Hence we define the function $p(\cdot, v) : \mathbb{R}_+ \to \mathbb{R}_+$ by

$$p(x,v) = v \cdot \inf\Big\{ \prod_{j \in J} s_j(v) : \sum_{j \in J} x_j \le x \Big\},$$

so that the optimal security investment problem is still given by (1). The problem of deriving the function $p(x,v)$ is a standard integer linear programming problem, which can be rewritten as follows:

$$\log p(x,v) = \log v + \inf\Big\{ \sum_{i \in [K]} e_i \log s_i(v) : e_i \in \{0,1\},\ \sum_{i \in [K]} e_i x_i \le x \Big\}.$$

Our aim here is not to address issues of complexity (this problem is known as the knapsack problem), and we consider the relaxed problem where $e_i \in [0,1]$. In this case, the problem is a linear program, which is a convex optimization problem, and the optimal value of a minimization LP is a convex function of the right-hand side $x$ of its constraint. The important point for us is therefore that the function $x \mapsto p(x,v)$ is log-convex in $x$. We then have the following generalization of Gordon and Loeb's Proposition 3:
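As an added illustration (not code from the paper) of why the relaxation matters, the Python code below computes $\log p(x,v)$ both for the exact 0/1 knapsack, by enumeration, and for its LP relaxation, by the fractional-knapsack greedy rule (protections taken in decreasing order of $-\log s_j(v)/x_j$, the last one possibly fractionally), on a constructed set of three protections at a fixed $v$. The relaxed value is piecewise linear and convex in $x$, i.e. $p(\cdot,v)$ is log-convex as Theorem 2 below requires, whereas the integer value is a step function that fails even midpoint convexity. The costs, factors and vulnerability are made-up sample data.

```python
"""Section II-C: p(x, v) built from K independent protections. The exact 0/1
choice is a knapsack whose value is a step function of the budget x; the LP
relaxation (e_j in [0,1]) is a fractional knapsack whose value is piecewise
linear and convex in x, i.e. p(., v) becomes log-convex."""
import math


def relaxed_log_p(budget, costs, factors, v):
    """log p(x, v) for the relaxed problem
        log v + inf { sum_j e_j log s_j : e_j in [0,1], sum_j e_j x_j <= x }.
    Fractional knapsack: take protections in decreasing order of
    -log s_j / x_j (risk reduction per unit cost), the last one
    possibly fractionally. Requires 0 < s_j <= 1."""
    order = sorted(range(len(costs)), key=lambda j: math.log(factors[j]) / costs[j])
    total, remaining = math.log(v), budget
    for j in order:
        if remaining <= 0.0:
            break
        e = min(1.0, remaining / costs[j])
        total += e * math.log(factors[j])
        remaining -= e * costs[j]
    return total


def integer_log_p(budget, costs, factors, v):
    """log p(x, v) for the exact 0/1 problem, by enumerating all 2^K subsets
    (fine for the small K of a demonstration)."""
    k = len(costs)
    best = 0.0  # empty set: no protection bought
    for mask in range(1 << k):
        chosen = [j for j in range(k) if mask >> j & 1]
        if sum(costs[j] for j in chosen) <= budget + 1e-12:
            best = min(best, sum(math.log(factors[j]) for j in chosen))
    return math.log(v) + best


def is_convex_on_grid(f, xs):
    """Midpoint-convexity check of f on an evenly spaced, sorted grid."""
    vals = [f(x) for x in xs]
    return all(vals[i] <= 0.5 * (vals[i - 1] + vals[i + 1]) + 1e-12
               for i in range(1, len(vals) - 1))


# Constructed sample (not from the paper): three protections with costs x_j
# and factors s_j(v) evaluated at a fixed vulnerability v = 0.8.
COSTS = [1.0, 2.0, 3.0]
FACTORS = [0.5, 0.2, 0.3]
V = 0.8
GRID = [0.5 * i for i in range(13)]  # budgets 0, 0.5, ..., 6


def relaxed_is_log_convex():
    return is_convex_on_grid(lambda x: relaxed_log_p(x, COSTS, FACTORS, V), GRID)


def integer_is_log_convex():
    return is_convex_on_grid(lambda x: integer_log_p(x, COSTS, FACTORS, V), GRID)


if __name__ == "__main__":
    for x in GRID:
        print(f"x={x:.1f}  log p relaxed={relaxed_log_p(x, COSTS, FACTORS, V):+.3f}"
              f"  integer={integer_log_p(x, COSTS, FACTORS, V):+.3f}")
    print("relaxed log-convex:", relaxed_is_log_convex())
    print("integer log-convex:", integer_is_log_convex())
```

Both functions return $\log v$ at budget zero, consistent with $p(0,v) = v$, and the relaxed value never exceeds the integer one, as a relaxation must.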

Theorem 2. If the function $x \mapsto p(x,v)$ is non-increasing and log-convex in $x$, then the optimal security investment is bounded by $\ell v / e$.



Proof: We denote by $x^*$ the optimal investment and $p^* = p(x^*,v)$, so that for all $x \ge 0$

$$\ell p^* + x^* \le \ell p(x,v) + x. \quad (4)$$

If $x^* = 0$ there is nothing to prove, so assume $x^* > 0$. We denote $f(x) = \log \ell p(x,v)$. First assume that $x \mapsto p(x,v)$ is continuously differentiable, so that by convexity of $f$ we have

$$f(x) \ge f(x^*) + f'(x^*)(x - x^*) = \log \ell p^* - \frac{x - x^*}{\ell p^*}, \quad (5)$$

where, in the last equality, we used the first-order condition $\ell \frac{\partial p}{\partial x}(x^*,v) = -1$ implied by (4), which gives $f'(x^*) = -1/(\ell p^*)$. Hence we have $f(0) \ge \log \ell p^* + \frac{x^*}{\ell p^*}$, i.e. $\log \ell v \ge \log \ell p^* + \frac{x^*}{\ell p^*}$, which can be rewritten as

$$\ell v \cdot \frac{x^*}{\ell p^*} \exp\Big(-\frac{x^*}{\ell p^*}\Big) \ge x^*.$$

The theorem follows in this case from the observation that $z \exp(-z) \le e^{-1}$ for $z \ge 0$.

If we do not assume that $x \mapsto p(x,v)$ is continuously differentiable, we show (5) using (4). Namely, suppose there exists $x' \ge 0$ such that

$$f(x') < \log \ell p^* - \frac{1}{\ell p^*}(x' - x^*).$$

Then by convexity, we have for any $\alpha \in [0,1]$,

$$f(\alpha x' + (1-\alpha) x^*) \le f(x^*) + \alpha\,\big(f(x') - f(x^*)\big) < \log \ell p^* - \frac{\alpha}{\ell p^*}(x' - x^*).$$

However, by (4) applied at $x = \alpha x' + (1-\alpha)x^*$, we also have

$$f(\alpha x' + (1-\alpha) x^*) \ge \log\big(\ell p^* - \alpha (x' - x^*)\big) = \log \ell p^* - \frac{\alpha}{\ell p^*}(x' - x^*) + O(\alpha^2),$$

and we obtain a contradiction for $\alpha$ small enough. Hence (5) is still true in this case and we can finish the proof as above, so that the statement of the theorem holds. ■
Theorem 2 shows that for a broad class of security breach probability functions, the optimal security investment is always less than 37% of the expected loss without protection. Note that the function $p_{GL}$ introduced above does not satisfy the conditions of Theorem 1 but is log-convex, so that in this case the optimal security investment is always less than 37% of the expected loss; indeed, we saw that for high values of the vulnerability the optimal investment is zero. We end this section with another function, $p(x,v) = v/(ax+1)^b$ with $a, b > 0$, which satisfies the conditions of both Theorems 1 and 2. Hence in this case the optimal security investment increases with the vulnerability but remains below 37% of the expected loss without protection.
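The following Python script is an added worked example (not code from the paper) for the single-agent model of this section: it implements $p_{GL}$ and the closed form $\varphi_{GL}$ above, checks it against a brute-force minimization of (1), exhibits the non-monotonicity in $v$ and the positive mixed partial of Remark 1, verifies the $\ell v/e$ bound of Theorem 2 on a grid of vulnerabilities, and contrasts this with $v/(ax+1)^b$, whose optimum is monotone. The parameter values ($\ell = 10$, $a = b = 1$) and the grid of vulnerabilities are choices made for the demonstration, and the closed form for $v/(ax+1)^b$ is derived here from its own first-order condition.

```python
"""Single-agent Gordon-Loeb model: closed-form optimal investment,
non-monotonicity in v, Proposition 1's mixed-partial test and the
1/e bound of Theorem 2, with a brute-force cross-check."""
import math


def p_gl(x, v, a=1.0):
    """Gordon-Loeb breach probability p_GL(x, v) = v^(a x + 1)."""
    return v ** (a * x + 1.0)


def phi_gl(v, ell, a=1.0):
    """Optimal investment for p_GL. The objective ell*p_GL(x, v) + x is
    convex in x, so the root of the first-order condition
    -ell * dp/dx(x*, v) = 1 is the global minimiser whenever it is >= 0;
    otherwise the optimum is the corner x* = 0."""
    if v <= 0.0 or v >= 1.0:
        return 0.0  # p_GL is then 0 or 1 whatever x: nothing to buy
    log_v = math.log(v)  # negative for 0 < v < 1
    x = -math.log(-ell * a * log_v) / (a * log_v) - 1.0 / a
    return max(0.0, x)


def d2p_gl_dxdv(x, v, a=1.0):
    """Mixed partial of p_GL. At v = 1 it equals a > 0, so p_GL violates
    the second condition of Proposition 1 (which needs it < 0)."""
    return a * v ** (a * x) * (1.0 + (a * x + 1.0) * math.log(v))


def p_pow(x, v, a=1.0, b=1.0):
    """Closing example v / (a x + 1)^b: decreasing in x, mixed partial
    -a*b/(a x + 1)^(b+1) < 0, and log p = log v - b*log(a x + 1) is
    convex in x, so both Theorem 1 and Theorem 2 apply."""
    return v / (a * x + 1.0) ** b


def phi_pow(v, ell, a=1.0, b=1.0):
    """Optimal investment for p_pow from its first-order condition
    (a x + 1)^(b + 1) = ell * v * a * b, truncated at zero (derived here)."""
    x = ((ell * v * a * b) ** (1.0 / (b + 1.0)) - 1.0) / a
    return max(0.0, x)


def numeric_optimum(p, v, ell, step=1e-3):
    """Brute-force minimiser of ell*p(x, v) + x on a grid over [0, ell*v].
    Spending more than ell*v can never beat x = 0, whose cost is ell*v."""
    best_x, best_cost = 0.0, ell * v
    for i in range(1, int(ell * v / step) + 1):
        x = i * step
        cost = ell * p(x, v) + x
        if cost < best_cost:
            best_x, best_cost = x, cost
    return best_x


def one_over_e_bound(v, ell):
    """Theorem 2 bound: x* <= ell * v / e, i.e. at most ~37% of the
    expected loss ell*v without protection."""
    return ell * v / math.e


def is_nondecreasing(values):
    return all(lo <= hi for lo, hi in zip(values, values[1:]))


if __name__ == "__main__":
    ell, vs = 10.0, [i / 20 for i in range(1, 20)]  # demonstration values
    for v in (0.02, 0.5, 0.9):
        print(f"v={v:.2f}  phi_GL={phi_gl(v, ell):.4f}  "
              f"grid={numeric_optimum(p_gl, v, ell):.3f}  "
              f"bound ell*v/e={one_over_e_bound(v, ell):.4f}")
    print("phi_GL non-decreasing in v:", is_nondecreasing([phi_gl(v, ell) for v in vs]))
    print("phi_pow non-decreasing in v:", is_nondecreasing([phi_pow(v, ell) for v in vs]))
    print("d2p_GL/dxdv at v=1:", d2p_gl_dxdv(0.0, 1.0))
```

With $\ell = 10$ and $a = 1$, $\varphi_{GL}$ is zero for $v = 0.02$ and $v = 0.9$ but about $1.79$ at $v = 0.5$, just under the bound $5/e \approx 1.84$; the bound is tight near $v = 0.15$, which is why a grid check rather than a single point is worth running.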

III. Optimal security investment for an interconnected agent

We now extend the previous framework in order to model an 
agent who needs to decide the amount to spend on security if 
this agent is part of a network. In this section, we give results 
concerning the incentives of an agent in a network. In the 
next section, we will consider a security game associated to 
this model of agent and determine the equilibrium outcomes. 
A. General model for an interconnected agent

In order to capture the effect of the network, we will assume 
that each agent faces an internal risk and an indirect risk. 
As explained in the introduction, the indirect risk takes into 
account the fact that a loss can propagate in the network. 
The estimation of the internal risk depends only on private 
information available to the agent. However in order to decide 
on the amount to invest in security, the agent needs also to 
evaluate the indirect risk. This evaluation depends crucially on 
the information on the propagation of the risk in the network 
available to the decision-maker. We now describe an abstract 
and general setting for the information of the agent. 

We assume that the information concerning the impact of the network on the security of the agent is captured by a parameter $\gamma$ living in a partially ordered set $\Gamma$ (poset, i.e. a set with a binary relation that is reflexive, antisymmetric and transitive). This is not merely a technical assumption. The interpretation is as follows: $\gamma$ captures the state of the network from the point of view of security, and we need to be able to compare secure states with insecure ones.

Given $\gamma \in \Gamma$, the agent is able to compute the probability of loss for any amount $x \in X$ invested in security, denoted by $p(x,v,\gamma)$. We still assume that the agent is risk neutral, so that the optimal security investment is given by:

$$\varphi(v,\ell,\gamma) = \arg\min\{\ell p(x,v,\gamma) + x : x \in X\}. \quad (6)$$

Note that in our model we consider that only global statistics about the network are available to all agents. The state of the network $\gamma$ is public. A 'high' value of $\gamma$ corresponds to a secure environment, typically with a high fraction of the population investing in security, while a 'low' value of $\gamma$ corresponds to an insecure environment with few people investing in security. For example, in the epidemic risk model described below, decisions regarding investment are binary and the public information consists of the parameters of the epidemic risk model (which are assumed fixed) and the fraction $\gamma$ of the population investing in security. Then for any $\gamma \in [0,1]$, the agent is able to compute $p(x,v,\gamma)$ as explained below. Note that in our model the vulnerability $v$ of an agent is an intrinsic parameter of this agent; in particular it does not depend on the behavior of others or on $\gamma$.

B. Epidemic risks model 

In order to gain further insight, we consider in this section the case of economic agents subject to epidemic risks. This model was introduced in [8]. We concentrate here on a simplified version presented in [14]. In this section, we focus on the dependence of $p(x,v,\gamma)$ on $x$ and $\gamma$. For ease of notation, we drop the explicit dependence on the vulnerability $v$.

For simplicity, we assume that each agent has a discrete choice regarding self-protection, so that $X = \{0,1\}$. If she decides to invest in self-protection, we set $x = 1$ and say that the agent is in state S, as secure; otherwise we set $x = 0$ and say that the agent is in state N, as non-secure or negligent. Note that if the cost of the security product is not one, we can still use this model by normalizing the loss $\ell$ by the cost of the security investment. In order to take her decision, the agent has to evaluate $p(0,\gamma)$ and $p(1,\gamma)$. To do so, we assume that global statistics on the network and on the epidemic risks are publicly available and that the agent uses the simple epidemic model that we now describe.

Agents are represented by vertices of a graph and face two types of losses: direct and indirect (i.e. due to their neighbors). We assume that an agent in state S cannot experience a direct loss and that an agent in state N has a probability $p$ of direct loss. Then any agent experiencing a loss (direct or indirect) 'contaminates' each of its neighbors independently, with probability $q$ if the neighbor is in state S and $q^+$ if the neighbor is in state N, with $q^+ > q$. Since only global statistics are available for the graph, we consider random families of graphs $G^{(n)}$ with $n$ vertices and a given degree distribution, a typical node having a degree denoted by the random variable $D$ (see [23]). In all cases, we assume that the family of graphs is independent of all other processes. All our results concern the large population limit ($n$ tends to infinity). In particular, we are interested in the fraction of the population in state S (i.e. investing in security), denoted by $\gamma$.

Using this model the agent is able to compute the functions $p(0,\gamma)$ and $p(1,\gamma)$ thanks to the following result proved in [8] and [24] (using a local mean field):

Proposition 2. Let $\Psi(s) = \mathbb{E}[s^D]$ be the generating function of the degree distribution of the graph. For any $\gamma \in [0,1]$, there is a unique solution in $[0,1]$ to the fixed point equation

$$y = 1 - \gamma\, \Psi(1 - q y) - (1 - \gamma)(1 - p)\, \Psi(1 - q^+ y),$$

denoted by $y(\gamma)$. Moreover the function $\gamma \mapsto y(\gamma)$ is non-increasing in $\gamma$. Then we have

$$p(1,\gamma) = 1 - \Psi\big(1 - q\, y(\gamma)\big), \qquad p(0,\gamma) = 1 - (1-p)\, \Psi\big(1 - q^+ y(\gamma)\big).$$

If we define $\psi(\gamma) = p(0,\gamma) - p(1,\gamma)$ as the difference of the two terms given in Proposition 2, we see that the optimal decision is:

$$\ell\, \psi(\gamma) > 1 \iff \text{agent invests}. \quad (7)$$

This equation can be seen as a discrete version of (2). If the benefit of the protection, which is $\ell \psi(\gamma)$, exceeds its cost (here normalized to one), the agent decides to invest; otherwise the agent does not invest. In particular, we observe that the condition for the incentive to invest in security to increase with the fraction of the population investing in security is:

$$\psi(\gamma) = p(0,\gamma) - p(1,\gamma) \ \text{is an increasing function of } \gamma. \quad (8)$$

We show in the next section that this result extends to a much more general framework.

Before that, we recall some results of [14] describing two simple cases, one where condition (8) holds and one where it does not. The computations presented in this section are done for the standard Erdős–Rényi random graph $G^{(n)} = G(n, \lambda/n)$ on $n$ nodes $\{0, 1, \ldots, n-1\}$, where each potential edge $0 \le i < j \le n-1$ is present in the graph with probability $\lambda/n$, independently for all $n(n-1)/2$ edges. Here $\lambda > 0$ is a fixed constant independent of $n$, equal to the (asymptotic as $n \to \infty$) average number of neighbors of an agent; in this limit $D$ is Poisson with mean $\lambda$, so $\Psi(s) = \exp(\lambda(s-1))$. As explained in the next section, these results extend to a much more general framework without modifying the qualitative insights.

We will consider two cases: 

Strong protection: an agent investing in protection cannot be harmed at all by the actions or inactions of others: $q = 0$. In this case, we have $p(1,\gamma) = 0$, so that $\psi(\gamma) = p(0,\gamma)$, which is clearly a non-increasing function of $\gamma$, as depicted in Figure 2.







Fig. 2. Function $\psi(\gamma)$ for strong protection as a function of $\gamma$; $\lambda = 10$, $q^+ = 0.5$, $p = 0.01$.



As the fraction $\gamma$ of agents investing in protection increases, the incentive to invest in protection decreases. It is less attractive for an agent to invest in protection if others have already decided to do so: as more agents invest, the expected benefit of following suit decreases since the probability of loss is lower, the network having become more secure.

Weak protection: investing in protection lowers the probability of contagion $q$, but it remains positive: $0 < q < q^+$. In this case, the map $\gamma \mapsto \psi(\gamma)$ can be non-decreasing for small values of $\gamma$ and decreasing for values of $\gamma$ close to one (see Figure 3). For small values of $\gamma$, the incentive for an agent to invest in security actually increases with the proportion of agents investing in security (recall Condition (8)). We will see in the next section that this alignment of incentives is responsible for a coordination problem when agents are strategic.

Fig. 3. Function $\psi(\gamma)$ for weak protection as a function of $\gamma$; $\lambda = 10$, $q^+ = 0.5$, $p = 0.01$ and $q = 0.1$.

C. Sufficient conditions for monotone investment in a network 

We now show how condition (8) extends to a general framework. This extension is given by the following result:

Theorem 3. If the function $p(x,v,\gamma) - p(x,v',\gamma')$ is strictly increasing in $x \in X$ for any $(v',\gamma') > (v,\gamma)$, and the function $p(x,v,\gamma)$ is non-increasing in $x$, then $\varphi(v,\ell,\gamma)$ defined in (6) is non-decreasing.

Proof: As noticed in Remark 3, we need to prove that our condition ensures that $\ell p(x,v,\gamma) - \ell' p(x,v',\gamma')$ is strictly increasing in $x \in X$ for any $(v',\ell',\gamma') > (v,\ell,\gamma)$. If $\ell = \ell'$, this follows from the condition of the theorem. We now deal with the case $\ell' > \ell$. Let $x' > x$; then by the condition of the theorem, we have

$$\ell p(x',v,\gamma) - \ell p(x',v',\gamma') > \ell p(x,v,\gamma) - \ell p(x,v',\gamma'),$$

but since $\ell' > \ell$ and $p(x,v',\gamma') - p(x',v',\gamma') \ge 0$ for $x' > x$, we also have

$$\ell p(x',v',\gamma') - \ell' p(x',v',\gamma') \ge \ell p(x,v',\gamma') - \ell' p(x,v',\gamma').$$

Summing these inequalities gives exactly the desired result. (When $(v',\gamma') = (v,\gamma)$ the first inequality holds with equality, and strictness then requires $p$ to be strictly decreasing in $x$.) ■

Remark 4. Clearly, the condition of Theorem 3 translates in the setting described in Section III-B to $p(0,\gamma) - p(0,\gamma') < p(1,\gamma) - p(1,\gamma')$ for any $\gamma' > \gamma$, which corresponds exactly to (8).

In the particular case where $\Gamma$ is a subset of $\mathbb{R}$, and under some smoothness conditions, we obtain:

Proposition 3. If the function $p(x,v,\gamma)$ is twice continuously differentiable on $X \times [0,1] \times \Gamma$, then sufficient conditions for $\varphi(v,\ell,\gamma)$ to be non-decreasing are:

$$\frac{\partial p}{\partial x}(x,v,\gamma) < 0, \qquad \frac{\partial^2 p}{\partial x \partial v}(x,v,\gamma) < 0, \qquad \frac{\partial^2 p}{\partial x \partial \gamma}(x,v,\gamma) < 0.$$


As we will see in the next section, satisfying the conditions of Theorem 3 (or Proposition 3) ensures that the incentives in the population are aligned, but this might lead to a coordination problem.

IV. Equilibrium analysis of the security game 

We now present our results in a game-theoretic framework 
where each agent is strategic. We assume that the effect of 
the action of any single agent is infinitesimal but each agent 
anticipates the effect of the actions of all other agents on the 
security level of the network. 

A. Information structure and fulfilled expectations equilibrium 

In most of the literature on security games, it is assumed 
that the player has complete information. In particular, each 
player knows the probability of propagation of the attack or 
failure from each other player in the network and also the 
cost functions of other players. In this case, the agent is able 
to compute the Nash equilibria of the game (if no constraint 
is made on the computing power of the agent) and decides on 
her level of investment accordingly. In particular, the agent is 
able to solve (6) for all possible values of $\gamma$, which capture the 
decisions of all other agents. Note that even if only binary 
decisions are made by agents, the size of the set $\Gamma$ grows 
exponentially with the number of players in the network. 
Moreover, in a large network the complete information 
assumption seems quite artificial, especially for security games, 
where complete information would imply that the agents 
disclose information on their security strategy to the public and 
hence to the potential attacker! 

Here we relax the assumption of complete information. As 
in the previous section, we assume that each agent is able to 
compute the function $p(x,v,\gamma)$ based on public information 
and on the epidemic risk model. The values of the possible loss 
$\ell$ and the vulnerability $v$ are private information of the agent 
and vary among the population. In order to define properly 
the equilibrium of the game, we assume that all players are 
strategic and are able to do this computation. Hence if a player 
expects that a fraction $\gamma^e$ of the population invests in security, 
she can decide on her own investment. We assume that at 
equilibrium expectations are fulfilled, so that at equilibrium the 
actual value of $\gamma$ coincides with $\gamma^e$. This concept of fulfilled 
expectations equilibrium to model network externalities is 
standard in economics (see Section 3.6.2 in [5]). 

We now describe it in more detail. For simplicity of 
the presentation, we do not consider the dependence on the 
vulnerability $v$, since in the security game we focus on the 
monotonicity in $\gamma$, which will turn out to be crucial. We also 
consider that the choice regarding investment is binary, i.e. 
$X = \{0,1\}$. 

We consider a heterogeneous population, where agents 
differ in loss sizes only. This loss size $\ell$ is called the type 
of the agent. We assume that agents expect a fraction $\gamma^e$ of 
agents in state S, i.e. to make their choice, they assume that the 
fraction of agents investing in security is $\gamma^e$. We now define 
a network externalities function that captures the influence of 
the expected fraction of agents in state S on the willingness 
to pay for security. Let the network externalities function be 
$h(\gamma^e)$. More precisely, for an agent of type $\ell$, the willingness 
to pay for protection in a network with a fraction $\gamma^e$ of the 
agents in state S is given by $\ell h(\gamma^e)$, so that if 

$$\ell h(\gamma^e) \ge c, \quad \text{(where $c$ is the cost of the security option)} \qquad (9)$$

the agent will invest and otherwise not. Hence (9) is in 
accordance with the investment rule of Section III-B (where the 
cost was normalized to one). Note that here we do not make 
any a priori assumption on the network externalities function 
$h$, which can be general and fit to various models. 

Indeed, our model corresponds exactly to the multiplicative 
formulation of Economides and Himmelberg [25], which allows 
different types of agents to receive differing values of 
network externalities from the same network. As explained 
above, agents with low $\ell$ have little or no use for the protection, 
whereas agents with high $\ell$ value security highly. This is taken 
into account in our model since, for a fixed expected fraction of 
agents in state S, agents with high $\ell$ have a higher willingness 
to pay for self-protection than agents with low $\ell$. 

Let the cumulative distribution function of types be $F(\ell)$, 
i.e. the fraction of the population having type lower than $\ell$ is 
given by $F(\ell) \le 1$. We make the following hypothesis: 

Hypothesis 1. $F(\ell)$ is continuous with positive density 
everywhere on its support, which is normalized to be $[0,1]$. 

Note in particular that $F$ is strictly increasing, and it follows 
that the inverse $F^{-1}(\gamma)$ is well-defined for $\gamma \in [0,1]$. 



Given expectation $\gamma^e$ and cost for protection $c$, all agents 
with type $\ell$ such that $\ell h(\gamma^e) \ge c$ will invest in protection. 
Hence the actual fraction of agents investing in protection is 
given by $\gamma = 1 - F\left(\min\left(\frac{c}{h(\gamma^e)}, 1\right)\right)$. Hence, following [25], 
we can invert this equation and define the willingness to 
pay for the last agent in a network of size $\gamma$ with expectation 
$\gamma^e$ as 

$$w(\gamma,\gamma^e) = h(\gamma^e)\,F^{-1}(1-\gamma). \qquad (10)$$

Seen as a function of its first argument, this is just an inverse 
demand function: it maps the quantity of protection demanded 
to the market price. Because of externalities, expectations 
affect the willingness to pay: 

$$\frac{\partial w}{\partial \gamma^e}(\gamma,\gamma^e) = h'(\gamma^e)\,F^{-1}(1-\gamma). \qquad (11)$$

For goods that do not exhibit network externalities, demand 
slopes downward: as price increases, less of the good is 
demanded. This fundamental relationship may fail in goods 
with network externalities. If $h'(\cdot) > 0$, then the willingness 
to pay for the last unit may increase as the number expected 
to be sold increases, as can be seen from (11): $\frac{\partial w}{\partial \gamma^e}(\gamma,\gamma^e) > 0$. 
For example, in [25] studying the FAX market, as more and 
more agents buy a FAX, the utility of the FAX increases since 
more and more agents can be reached by this means of 
communication. For a fixed cost $c$, in equilibrium the expected 
fraction $\gamma^e$ and the actual one $\gamma$ must satisfy 

$$c = w(\gamma,\gamma^e) = h(\gamma^e)\,F^{-1}(1-\gamma). \qquad (12)$$

If we assume moreover that in equilibrium expectations are 
fulfilled, then the possible equilibria are given by the fixed 
point equation: 

$$c = w(\gamma,\gamma) = h(\gamma)\,F^{-1}(1-\gamma) =: w(\gamma). \qquad (13)$$

We see that if $h'(\cdot) > 0$, the concept of fulfilled expectations 
equilibrium captures the possible increase in the willingness to 
pay as the number expected to be sold increases. This would 
correspond to the case where we have $w'(\gamma) > 0$ for some 
values of $\gamma$. In such cases, a critical mass phenomenon (as 
in the FAX market [25]) can occur: there is a problem of 
coordination. We explain this phenomenon more formally in 
the next section and then show how our results differ from 
[25]. We end this section with the following important remark: 

Remark 5. The case of a homogeneous population in which 
all agents have the same type, i.e. the same loss size $\ell$, 
corresponds to the function $F^{-1}$ being constant equal to $\ell$. 
In this case, the willingness to pay is simply $w(\gamma) = h(\gamma)\ell$. 
In particular, the epidemic risk model presented above can be 
used to model the network externalities by the function $h(\gamma)$ 
computed in Section III. In this case, Condition (8) still gives 
a condition for incentives to be aligned. As we will see next, this 
condition might lead to critical mass: if incentives are aligned, 
there is a coordination problem! 
B. Critical mass: coordination problem 

To determine the possible equilibria, we analyze the shape 
of the fulfilled expectations demand $w(\gamma)$. First we have 
$w(0) \ge 0$, which is equal to the value of the self-protection 
assuming there are no network externalities. We also have 
$w(1) = 0$ since by Hypothesis 1 we have $F^{-1}(0) = 0$. 
In words, this means that there are agents with very low $\ell$ 
who have little or no interest in self-protection. Then in order 
to secure the network completely, we have to convince even 
agents of very low willingness to pay. 

The slope of the fulfilled expectations demand is 

$$w'(\gamma) = -\frac{h(\gamma)}{F'(F^{-1}(1-\gamma))} + h'(\gamma)\,F^{-1}(1-\gamma). \qquad (14)$$

The first term measures the slope of the inverse demand 
without taking into account the effect of the expectations. The 
second term corresponds to the effect of an increase in the 
expected fraction of agents in state S. If $h'(\cdot) > 0$ as in [25], it 
corresponds to the increase in the willingness to pay of the last 
agent investing in self-protection created by his own action in 
joining the group of agents in state S. Note that in any case, if 
the fraction of agents in state S gets very large, i.e. $\gamma \to 1$, the 
last agent investing in self-protection has very low willingness 
to pay for it. Hence for $\gamma$ close to one, the effect of marginal 
expectations on the marginal agent investing in S is negligible. 
Formally this is observed by $\lim_{\gamma \to 1} h'(\gamma)\,F^{-1}(1-\gamma) = 0$. It 
follows that 

$$\lim_{\gamma \to 1} w'(\gamma) = \lim_{\gamma \to 1} -\frac{h(\gamma)}{F'(F^{-1}(1-\gamma))} = -\frac{h(1)}{F'(0)} \le 0. \qquad (15)$$

Note that we allow $F'(0) = 0$, in which case Equation (15) 
should be interpreted as $\lim_{\gamma \to 1} w'(\gamma) = -\infty$. The sign of 
$\lim_{\gamma \to 0} w'(\gamma)$ depends on the parameters of the model and 
we will see that it is of crucial importance. We make the 
following hypothesis: 

Hypothesis 2. The function $w(\gamma)$ is single-peaked. 

Note that in the case of a homogeneous population, 
$w(\gamma) = h(\gamma)\ell$, where $h(\gamma)$ was computed in Section III for 
the epidemic risk model and is single-peaked. 

We are now ready to state the main result of this section: 

Theorem 4. Under Hypotheses 1 and 2, a network has positive 
critical mass if $\lim_{\gamma \to 0} h'(\gamma) > 0$ and either 

(i) $w(0) = 0$, i.e. if all agents are in state N then no agent 
is willing to invest in self-protection; 

(ii) $\lim_{\gamma \to 0} h'(\gamma)$ is sufficiently large, i.e. there are large 
private benefits to join the group of agents in state S 
when the size of this group is small; 

(iii) $\lim_{\gamma \to 1} F'(\gamma)$ is sufficiently large, i.e. there is a 
significant density of agents who are ready to invest in self-
protection even if the number of agents already in state 
S is small. 

Remark 6. Note that if $h'(\gamma) > 0$ for small values of $\gamma$, then 
incentives are aligned by the results of the previous section, but 
this might lead to a coordination problem. Indeed, as shown by 
the previous theorem, this is a necessary condition for a network 
to exhibit positive critical mass. In the case of a homogeneous 
population (see Remark 5), the function $w(\gamma)$ is proportional 
to the function $h(\gamma)$ computed in Section III for the epidemic 
risk model. In particular, in the case of weak protection, there 
is positive critical mass as shown by Figure 3. 

Proof: Since we proved that $\gamma \mapsto w(\gamma)$ is decreasing for 
$\gamma$ close to one, there are only two possibilities: either it is 
increasing for small values of $\gamma$ or it is decreasing for all $\gamma$. 
As explained in Lemma 1 of [25], the network has a positive 
critical mass if and only if $\gamma \mapsto w(\gamma)$ is increasing for small 
values of $\gamma$. 

Fig. 4. Willingness to pay curve (or demand curve) $w(\gamma)$. 

This is illustrated by Figure 4 (which should be 
compared to Figure 3). Recall that in equilibrium we have 
$w(\gamma^*) = h(\gamma^*)\,F^{-1}(1-\gamma^*) = c$. If we imagine a constant 
cost $c$ decreasing parametrically, the network will start at a 
positive and significant size $\gamma$ corresponding to a cost $c^0$. 
For each smaller cost $c^1 < c < c^0$, there are three values of 
$\gamma^*$ consistent with $c$: $\gamma^* = 0$; an unstable value of $\gamma^*$ at the 
first intersection of the horizontal through $c$ with $w(\gamma)$; and 
the Pareto optimal stable value of $\gamma^*$ at the largest intersection 
of the horizontal with $w(\gamma)$. 

As explained above, a network exhibits a positive critical 
mass if and only if $\lim_{\gamma \to 0} w'(\gamma) > 0$. Now by (14), we have 

$$\lim_{\gamma \to 0} w'(\gamma) = \lim_{\gamma \to 0} h'(\gamma) - \frac{h(0)}{\lim_{\gamma \to 1} F'(\gamma)},$$

note that $h(0) = w(0)$, and the theorem follows easily. ■ 
We finish this section by explaining the main difference 
between our model and models with standard positive 
externalities. Informally, in the model of [25] for the FAX market, 
when a new agent buys the good (a FAX machine), he has a 
personal benefit and he also increases the value of the network 
of FAX machines. This is a positive externality which is felt 
only by the adopters of the good. Indeed, when this agent 
buys the good, this is a negative externality on the agents 
who did not buy the good (see [26], Example A9 in [17]). 
In our case, when an agent chooses to invest in security, the 
externalities are always positive and we have to distinguish 
between two positive externalities: one is felt by the agents in 
state S and the other is felt by the agents in state N. Indeed, as 
$\gamma$ increases, both populations experience a decrease of their 
probability of loss, but the value of this decrease is not the 
same in both populations. We call the 'public externalities' 
the decrease felt by agents in state N, and it is given by 
$g(\gamma) = p(0,0) - p(0,\gamma) \ge 0$. We call the 'private externalities' 
the decrease felt only by agents in state S, and it is given by 
$g(\gamma) + h(\gamma) = p(0,0) - p(1,\gamma) \ge g(\gamma)$. 

First note that the notations are consistent. In particular, 
Equation (9) still gives the willingness to pay for self-
protection in a network with a fraction $\gamma^e$ of the agents in state 
S. We are still dealing with positive externalities; however, 
this does not imply that $h'(\cdot) > 0$ (as is the case in [25]). 
Instead, positive externalities (i.e. the fact that both the public 
externalities $g(\gamma)$ and the private externalities $g(\gamma) + h(\gamma)$ are 
increasing in $\gamma$) only ensure that: 

$$g'(\cdot) \ge 0 \quad \text{and} \quad g'(\cdot) + h'(\cdot) \ge 0. \qquad (16)$$

Assumption (16) ensures the sensible fact that the more agents 
invest in self-protection, the more secure the network becomes 
(this is the total effect). If in addition $h'(\cdot) > 0$, then 
adoption of security increases others' incentive to invest (this 
is the marginal effect) and there might be a critical mass 
effect. Recent works on the marginal effect include Segal's 
increasing externalities [17] or Topkis' supermodularity [18]. 
On the contrary, when $h'(\cdot) < 0$, there is no coordination 
problem (no critical mass). However, we show in the next 
section that even in this case the equilibrium is not socially 
efficient. The intuition for this fact is that incentives are no 
longer aligned and, since agents benefit from the investment 
in security of the other agents, they prefer to 'free-ride' on the 
investment of the other agents. 

C. Welfare Maximization 

A planner who maximizes social welfare can fully internalize 
the network externalities, and this is the situation we now 
consider. We will show that there is always an efficiency loss in 
our model with exogenous price. In other words, the price of 
anarchy is always greater than one. 

Theorem 5. Under Hypotheses 1 and 2, a social planner will 
choose a larger fraction $\gamma$ of agents investing in self-protection 
than the market equilibrium for any fixed cost $c$. 

We refer to [8] for an estimate of this price of anarchy for 
the epidemic risks model presented in the previous section and 
to [24] for an extension to graphs with power-law degree 
distribution. 

Proof: The social welfare function is: 

$$W(\gamma) = g(\gamma) \int_\gamma^1 F^{-1}(1-u)\,du 
+ \big(g(\gamma) + h(\gamma)\big) \int_0^\gamma F^{-1}(1-u)\,du - c\gamma,$$

where $g(\gamma) \int_\gamma^1 F^{-1}(1-u)\,du$ is the gross benefit for the 
fraction of agents in state N and $(g(\gamma) + h(\gamma)) \int_0^\gamma F^{-1}(1-u)\,du$ 
for the fraction of agents in state S, and $c\gamma$ are the costs. We 
denote by $B(\gamma)$ the gross benefit for the whole population so 
that $W(\gamma) = B(\gamma) - c\gamma$; then we have: 

$$B'(\gamma) - h(\gamma)\,F^{-1}(1-\gamma) 
= \big(h'(\gamma) + g'(\gamma)\big) \int_0^\gamma F^{-1}(1-u)\,du 
+ g'(\gamma) \int_\gamma^1 F^{-1}(1-u)\,du.$$

Recall that by (12), the equilibria of the game (without the 
social planner) are the values $\gamma$ such that $w(\gamma) = h(\gamma)\,F^{-1}(1-\gamma) = c$. 
In particular, for such a value of $\gamma$, since we assume 
positive externalities (16), we have that $B'(\gamma) \ge w(\gamma) = c$, 
hence $W'(\gamma) \ge 0$ and the theorem follows. ■ 
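The following Python script is an added worked example, not code from the paper, covering both the critical mass analysis of Section IV-B and the welfare comparison of Section IV-C. It computes the fulfilled expectations demand $w(\gamma)$ of (13), all equilibria of the fixed point equation $\gamma = 1 - F(\min(c/h(\gamma), 1))$ for a given cost $c$, the critical mass test (whether $w$ is increasing near $\gamma = 0$, as in the proof of Theorem 4) and the social planner's optimum of $W(\gamma)$ from the proof of Theorem 5. Types are uniform on $[0,1]$, so $F^{-1}(y) = y$ and Hypothesis 1 holds. The two loss-probability models `p_weak` (whose $h$ is increasing near 0, the weak-protection situation of Remark 6) and `p_strong` (decreasing $h$, no critical mass) and the costs $c = 0.33$ and $c = 0.25$ are constructed assumptions, chosen only so that both regimes appear.

```python
"""Fulfilled expectations equilibria, critical mass and the planner's optimum
for the binary security game with heterogeneous types.  Added example with
constructed loss-probability models; not the paper's own code or data."""


# Constructed models p(x, gamma): x=1 protected (state S), x=0 not (state N).
def p_weak(x, gamma):
    """Assumed 'weak protection' model: the protected agent's risk falls fast
    as gamma grows, so h = p(0,.) - p(1,.) is increasing near gamma = 0."""
    return 0.6 * (1.0 - gamma) ** 2 if x == 1 else 0.9 - 0.3 * gamma


def p_strong(x, gamma):
    """Assumed comparison model in which h is decreasing (no critical mass)."""
    return 0.6 * (1.0 - 0.3 * gamma) if x == 1 else 0.9 - 0.3 * gamma


def externalities(p):
    """Public externality g and network externalities function h (Section IV-B)."""
    def g(gamma):
        return p(0, 0.0) - p(0, gamma)

    def h(gamma):
        return p(0, gamma) - p(1, gamma)
    return g, h


# Types uniform on [0,1] (Hypothesis 1): F(y) = y and F^{-1}(y) = y.
def F(y):
    return y


def F_inv(y):
    return y


def demand_w(h, gamma):
    """Fulfilled expectations demand w(gamma) = h(gamma) F^{-1}(1 - gamma), eq. (13)."""
    return h(gamma) * F_inv(1.0 - gamma)


def has_critical_mass(h, eps=1e-6):
    """Proof of Theorem 4: positive critical mass iff w is increasing near gamma = 0."""
    return demand_w(h, eps) > demand_w(h, 0.0)


def equilibria(h, c, grid=2000, tol=1e-9):
    """All fixed points of gamma = 1 - F(min(c / h(gamma), 1)), i.e. the
    fulfilled expectations equilibria for cost c, by grid scan and bisection."""
    def residual(gamma):
        return 1.0 - F(min(c / h(gamma), 1.0)) - gamma

    # gamma = 0 is a fixed point exactly when c >= h(0); it gives no sign change.
    roots = [0.0] if abs(residual(0.0)) < tol else []
    pts = [i / grid for i in range(grid + 1)]
    for a, b in zip(pts, pts[1:]):
        if residual(a) * residual(b) >= 0:
            continue
        for _ in range(60):  # bisection on the bracketed sign change
            m = 0.5 * (a + b)
            if residual(a) * residual(m) <= 0:
                b = m
            else:
                a = m
        root = 0.5 * (a + b)
        if all(abs(root - r) > 1e-6 for r in roots):
            roots.append(root)
    return sorted(roots)


def simpson(fn, a, b, n=200):
    """Composite Simpson rule on [a, b] (n even)."""
    step = (b - a) / n
    total = fn(a) + fn(b) + sum((4 if i % 2 else 2) * fn(a + i * step) for i in range(1, n))
    return total * step / 3.0


def welfare(p, c, gamma):
    """W(gamma) from the proof of Theorem 5: gross benefit of agents in N (types
    F^{-1}(1-u), u in [gamma,1]) and in S (u in [0,gamma]) minus the cost c*gamma."""
    g, h = externalities(p)
    typ = lambda u: F_inv(1.0 - u)
    benefit_n = g(gamma) * simpson(typ, gamma, 1.0)
    benefit_s = (g(gamma) + h(gamma)) * simpson(typ, 0.0, gamma)
    return benefit_n + benefit_s - c * gamma


def planner_optimum(p, c, grid=400):
    """Fraction gamma maximising W on a grid: the social planner's choice."""
    return max((i / grid for i in range(grid + 1)), key=lambda gm: welfare(p, c, gm))


if __name__ == "__main__":
    for name, p, c in (("weak", p_weak, 0.33), ("strong", p_strong, 0.25)):
        g, h = externalities(p)
        print(f"{name}: critical mass={has_critical_mass(h)}, "
              f"equilibria={[round(e, 4) for e in equilibria(h, c)]}, "
              f"planner optimum={planner_optimum(p, c):.3f}")
```

With `p_weak` and $c = 0.33$ the script finds three equilibria ($\gamma^* = 0$, an unstable interior value and a larger stable one), which is the critical mass picture of Figure 4; with `p_strong` there is a single equilibrium and no critical mass. In both cases the planner's optimum exceeds the largest equilibrium, which is the efficiency loss stated in Theorem 5 for a model that satisfies (16).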

V. Conclusion 

In this paper, we study under which conditions agents 
in a large network invest in self-protection. We started our 
analysis by finding conditions under which the amount of 
investment increases for a single agent as the vulnerability and 
loss increase. We also showed that risk-neutral agents do not 
invest more than 37% of the expected loss under log-convex 
security breach probability functions. We then extended our 
analysis to the case of interconnected agents of a large network 
using a simple epidemic risk model. We derived a sufficient 
condition on the security breach probability functions, taking 
into consideration the global knowledge on the security of 
the entire network, for guaranteeing increasing investment with 
increasing vulnerability. It would be interesting to use other 
epidemic models as in [27] to see the impact on the results 
of this section. 

Finally, we study a security game where agents anticipate 
the effect of their actions on the security level of the network. 
We showed that in all cases the fulfilled expectations equilibrium 
is not socially efficient. We explained it by the separation of the 
network externalities into two components: one public (felt by 
agents not investing) and the other private (felt only by agents 
investing in self-protection). We also showed that alignment 
of incentives typically leads to a coordination problem. 

In view of our results, it would be interesting to derive 
sufficient conditions for non-alignment of the incentives, as 
these conditions would ensure that there is no coordination 
problem. Exploring this issue is an interesting open problem. 
Another interesting direction of research concerns the 
information structure of such games. For example, in the case 
presented here of the epidemic risk model, what is the impact of 
an error in the estimation of the contagion probability, which 
could for example be over-evaluated by the firm selling the 
security solution? Also, in our work the attacker is not a 
strategic player: attacks are made at random with probability 
of success depending on the security level of the agent targeted. 
However, if the attacker can observe the security policies taken 
by the defenders, it can exploit this information [28]. An 
interesting extension would be to incorporate such a strategic 
attacker in our model as in [29]. Another extension could 
also consider the supply side, i.e. the firms distributing the 
security solution in the population. Very basic cases have been 
studied in [30], [31], but again with a non-strategic attacker. 